author | 2018-09-06 08:56:58 -0400 | |
---|---|---|
committer | 2018-09-06 08:56:58 -0400 | |
commit | 0adf8f882ccd6f306f9d76ae2b599ab41bee6471 (patch) | |
tree | 608321b0cb8f7eaee5d03b968f8b8a3f4ae89099 | |
parent | final cleanup (diff) | |
final cleanup
-rwxr-xr-x | configure | 19 | ||||
-rw-r--r-- | configure.ac | 11 | ||||
-rw-r--r-- | src/common.mk.in | 3 | ||||
-rw-r--r-- | src/firejail/join.c | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 12 |
5 files changed, 2 insertions, 44 deletions
@@ -633,7 +633,6 @@ HAVE_WHITELIST | |||
633 | HAVE_USERNS | 633 | HAVE_USERNS |
634 | HAVE_NETWORK | 634 | HAVE_NETWORK |
635 | HAVE_GLOBALCFG | 635 | HAVE_GLOBALCFG |
636 | HAVE_BIND | ||
637 | HAVE_SECCOMP | 636 | HAVE_SECCOMP |
638 | EXTRA_LDFLAGS | 637 | EXTRA_LDFLAGS |
639 | EGREP | 638 | EGREP |
@@ -696,7 +695,6 @@ ac_user_opts=' | |||
696 | enable_option_checking | 695 | enable_option_checking |
697 | enable_apparmor | 696 | enable_apparmor |
698 | enable_seccomp | 697 | enable_seccomp |
699 | enable_bind | ||
700 | enable_globalcfg | 698 | enable_globalcfg |
701 | enable_network | 699 | enable_network |
702 | enable_userns | 700 | enable_userns |
@@ -1337,7 +1335,6 @@ Optional Features: | |||
1337 | --enable-FEATURE[=ARG] include FEATURE [ARG=yes] | 1335 | --enable-FEATURE[=ARG] include FEATURE [ARG=yes] |
1338 | --enable-apparmor enable apparmor | 1336 | --enable-apparmor enable apparmor |
1339 | --disable-seccomp disable seccomp | 1337 | --disable-seccomp disable seccomp |
1340 | --disable-bind disable bind | ||
1341 | --disable-globalcfg if the global config file firejail.cfg is not | 1338 | --disable-globalcfg if the global config file firejail.cfg is not |
1342 | present, continue the program using defaults | 1339 | present, continue the program using defaults |
1343 | --disable-network disable network | 1340 | --disable-network disable network |
@@ -3085,8 +3082,6 @@ fi | |||
3085 | 3082 | ||
3086 | 3083 | ||
3087 | # LTS marker | 3084 | # LTS marker |
3088 | EXTRA_CFLAGS+=" -DLTS " | ||
3089 | |||
3090 | 3085 | ||
3091 | HAVE_SPECTRE="no" | 3086 | HAVE_SPECTRE="no" |
3092 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Spectre mitigation support in gcc or clang compiler" >&5 | 3087 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Spectre mitigation support in gcc or clang compiler" >&5 |
@@ -3572,19 +3567,6 @@ if test "x$enable_seccomp" != "xno"; then : | |||
3572 | 3567 | ||
3573 | fi | 3568 | fi |
3574 | 3569 | ||
3575 | HAVE_BIND="" | ||
3576 | # Check whether --enable-bind was given. | ||
3577 | if test "${enable_bind+set}" = set; then : | ||
3578 | enableval=$enable_bind; | ||
3579 | fi | ||
3580 | |||
3581 | if test "x$enable_bind" != "xno"; then : | ||
3582 | |||
3583 | HAVE_BIND="-DHAVE_BIND" | ||
3584 | |||
3585 | |||
3586 | fi | ||
3587 | |||
3588 | HAVE_GLOBALCFG="" | 3570 | HAVE_GLOBALCFG="" |
3589 | # Check whether --enable-globalcfg was given. | 3571 | # Check whether --enable-globalcfg was given. |
3590 | if test "${enable_globalcfg+set}" = set; then : | 3572 | if test "${enable_globalcfg+set}" = set; then : |
@@ -4941,7 +4923,6 @@ echo " seccomp: $HAVE_SECCOMP" | |||
4941 | echo " <linux/seccomp.h>: $HAVE_SECCOMP_H" | 4923 | echo " <linux/seccomp.h>: $HAVE_SECCOMP_H" |
4942 | echo " apparmor: $HAVE_APPARMOR" | 4924 | echo " apparmor: $HAVE_APPARMOR" |
4943 | echo " global config: $HAVE_GLOBALCFG" | 4925 | echo " global config: $HAVE_GLOBALCFG" |
4944 | echo " bind: $HAVE_BIND" | ||
4945 | echo " network: $HAVE_NETWORK" | 4926 | echo " network: $HAVE_NETWORK" |
4946 | echo " user namespace: $HAVE_USERNS" | 4927 | echo " user namespace: $HAVE_USERNS" |
4947 | echo " whitelisting: $HAVE_WHITELIST" | 4928 | echo " whitelisting: $HAVE_WHITELIST" |
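--- a/configure.ac
+++ b/configure.ac
@@ -9,8 +9,6 @@ AC_PROG_INSTALL
 AC_PROG_RANLIB
 
 # LTS marker
-EXTRA_CFLAGS+=" -DLTS "
-
 
 HAVE_SPECTRE="no"
 AC_MSG_CHECKING(for Spectre mitigation support in gcc or clang compiler)
@@ -63,14 +61,6 @@ AS_IF([test "x$enable_seccomp" != "xno"], [
 AC_SUBST(HAVE_SECCOMP)
 ])
 
-HAVE_BIND=""
-AC_ARG_ENABLE([bind],
-AS_HELP_STRING([--disable-bind], [disable bind]))
-AS_IF([test "x$enable_bind" != "xno"], [
-HAVE_BIND="-DHAVE_BIND"
-AC_SUBST(HAVE_BIND)
-])
-
 HAVE_GLOBALCFG=""
 AC_ARG_ENABLE([globalcfg],
 AS_HELP_STRING([--disable-globalcfg], [if the global config file firejail.cfg is not present, continue the program using defaults]))
@@ -161,7 +151,6 @@ echo " seccomp: $HAVE_SECCOMP"
 echo " <linux/seccomp.h>: $HAVE_SECCOMP_H"
 echo " apparmor: $HAVE_APPARMOR"
 echo " global config: $HAVE_GLOBALCFG"
-echo " bind: $HAVE_BIND"
 echo " network: $HAVE_NETWORK"
 echo " user namespace: $HAVE_USERNS"
 echo " whitelisting: $HAVE_WHITELIST"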
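Review bot: With the `AC_ARG_ENABLE([bind], ...)` block removed in the second hunk, a build script that still passes `--disable-bind` as a hardening choice presumably gets only autoconf's unrecognized-option warning, so the packager has little signal that the switch no longer does anything. Whether the bind code was deleted or made unconditional is not visible on this page: any remaining `#ifdef HAVE_BIND` is now dead code, and if the guards were dropped instead the feature is always built in. The same define is dropped from `CFLAGS` in src/common.mk.in, so both files should be checked against the C sources together. In the first hunk the `# LTS marker` comment survives while the `EXTRA_CFLAGS+=" -DLTS "` line it described is removed; drop the comment as well, or keep the define if any source still tests `LTS`.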
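--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -10,7 +10,6 @@ VERSION=@PACKAGE_VERSION@
 NAME=@PACKAGE_NAME@
 HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
 HAVE_SECCOMP=@HAVE_SECCOMP@
-HAVE_BIND=@HAVE_BIND@
 HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
 HAVE_NETWORK=@HAVE_NETWORK@
 HAVE_USERNS=@HAVE_USERNS@
@@ -24,7 +23,7 @@ C_FILE_LIST = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS = $(foreach file, $(OBJS), $file)
 
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_APPARMOR) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_APPARMOR) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 EXTRA_CFLAGS +=@EXTRA_CFLAGS@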
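--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -214,7 +214,6 @@ pid_t switch_to_child(pid_t pid) {
 void join(pid_t pid, int argc, char **argv, int index) {
 EUID_ASSERT();
 char *homedir = cfg.homedir;
-pid_t parent = pid;
 
 extract_command(argc, argv, index);
 signal (SIGTERM, signal_handler);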
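--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -685,10 +685,7 @@ int main(int argc, char **argv) {
 int prog_index = -1; // index in argv where the program command starts
 int lockfd_network = -1;
 int lockfd_directory = -1;
-int option_cgroup = 0;
 int custom_profile = 0; // custom profile loaded
-int arg_seccomp_cmdline = 0; // seccomp requested on command line (used to break out of --chroot)
-int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot)
 
 // drop permissions by default and rise them when required
 EUID_INIT();
@@ -849,7 +846,6 @@ int main(int argc, char **argv) {
 }
 arg_seccomp = 1;
 cfg.seccomp_list = seccomp_check_list(argv[i] + 10);
-arg_seccomp_cmdline = 1;
 }
 else
 exit_err_feature("seccomp");
@@ -862,7 +858,6 @@ int main(int argc, char **argv) {
 }
 arg_seccomp = 1;
 cfg.seccomp_list_drop = seccomp_check_list(argv[i] + 15);
-arg_seccomp_cmdline = 1;
 }
 else
 exit_err_feature("seccomp");
@@ -875,7 +870,6 @@ int main(int argc, char **argv) {
 }
 arg_seccomp = 1;
 cfg.seccomp_list_keep = seccomp_check_list(argv[i] + 15);
-arg_seccomp_cmdline = 1;
 }
 else
 exit_err_feature("seccomp");
@@ -894,10 +888,8 @@ int main(int argc, char **argv) {
 exit_err_feature("seccomp");
 }
 #endif
-else if (strcmp(argv[i], "--caps") == 0) {
+else if (strcmp(argv[i], "--caps") == 0)
 arg_caps_default_filter = 1;
-arg_caps_cmdline = 1;
-}
 else if (strcmp(argv[i], "--caps.drop=all") == 0)
 arg_caps_drop_all = 1;
 else if (strncmp(argv[i], "--caps.drop=", 12) == 0) {
@@ -907,7 +899,6 @@ int main(int argc, char **argv) {
 errExit("strdup");
 // verify caps list and exit if problems
 caps_check_list(arg_caps_list, NULL);
-arg_caps_cmdline = 1;
 }
 else if (strncmp(argv[i], "--caps.keep=", 12) == 0) {
 arg_caps_keep = 1;
@@ -916,7 +907,6 @@ int main(int argc, char **argv) {
 errExit("strdup");
 // verify caps list and exit if problems
 caps_check_list(arg_caps_list, NULL);
-arg_caps_cmdline = 1;
 }
 
 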